From 51eab33d068028cba416e01a9260af394b35e90a Mon Sep 17 00:00:00 2001 From: Jonathon Reinhart Date: Sun, 23 Aug 2015 18:38:28 -0400 Subject: [PATCH 01/10] update CREDITS.TXT --- CREDITS.TXT | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CREDITS.TXT b/CREDITS.TXT index c9999944..ab404d7e 100644 --- a/CREDITS.TXT +++ b/CREDITS.TXT @@ -23,7 +23,7 @@ Darel Griffin, NCC Group Anton Cherepanov Mohamed Saher (halsten) Tyler Colgan -Jonathon Reinhart, jonathon.reinhart at gmail.com +Jonathon Reinhart Blue Skeye Chris Maixner Pancake "radare" From c55ad00e2ade32b111ebf8763fc32f941c4a63a0 Mon Sep 17 00:00:00 2001 From: Nguyen Anh Quynh Date: Mon, 24 Aug 2015 17:48:30 +0800 Subject: [PATCH 02/10] samples: use -e rather than -a to check for file existence in Makefile --- samples/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/samples/Makefile b/samples/Makefile index 5cc32ee7..1ebb891f 100644 --- a/samples/Makefile +++ b/samples/Makefile @@ -75,7 +75,7 @@ endif .PHONY: all clean -UNICORN_ARCHS := $(shell if [ -a ../config.log ]; then cat ../config.log;\ +UNICORN_ARCHS := $(shell if [ -e ../config.log ]; then cat ../config.log;\ else printf "$(UNICORN_ARCHS)"; fi) SOURCES = From cae6a93e1b77b0be25f3364043b5376869297586 Mon Sep 17 00:00:00 2001 From: radare Date: Mon, 24 Aug 2015 12:11:59 +0200 Subject: [PATCH 03/10] Update CREDITS.TXT --- CREDITS.TXT | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CREDITS.TXT b/CREDITS.TXT index c9999944..ed9ec5be 100644 --- a/CREDITS.TXT +++ b/CREDITS.TXT @@ -26,7 +26,7 @@ Tyler Colgan Jonathon Reinhart, jonathon.reinhart at gmail.com Blue Skeye Chris Maixner -Pancake "radare" +Sergi Alvarez, aka pancake (author of radare) Ryan Hileman Tim "diff" Strazzere WanderingGlitch of the Zero Day Initiative From ba39dd3374e8fb934cfbae2a26d6d5adc95fc26b Mon Sep 17 00:00:00 2001 
From: pancake Date: Mon, 24 Aug 2015 13:00:54 +0200 Subject: [PATCH 04/10] Add regression test for the map crash --- regress/Makefile | 11 +++++++++++ regress/map_crash.c | 29 +++++++++++++++++++++++++++++ 2 files changed, 40 insertions(+) create mode 100644 regress/Makefile create mode 100644 regress/map_crash.c diff --git a/regress/Makefile b/regress/Makefile new file mode 100644 index 00000000..159489d0 --- /dev/null +++ b/regress/Makefile @@ -0,0 +1,11 @@ +CFLAGS+=-I../include +LDFLAGS=-L.. -lunicorn + +TESTS=map_crash map_regs + +all: $(TESTS) + +clean: + rm -f $(TESTS) + +.PHONY: all clean diff --git a/regress/map_crash.c b/regress/map_crash.c new file mode 100644 index 00000000..e7bc78a7 --- /dev/null +++ b/regress/map_crash.c @@ -0,0 +1,29 @@ +#include +#include +#include +#include + +#define UC_BUG_WRITE_SIZE 13000 +#define UC_BUG_WRITE_ADDR 0x1000 + +int main() { + int size; + uint8_t *buf; + uch uh; + uc_err err = uc_open (UC_ARCH_X86, UC_MODE_64, &uh); + if (err) { + fprintf (stderr, "Cannot initialize unicorn\n"); + return 1; + } + size = UC_BUG_WRITE_SIZE; + buf = malloc (size); + if (!buf) { + fprintf (stderr, "Cannot allocate\n"); + return 1; + } + memset (buf, 0, size); + uc_mem_map (uh, UC_BUG_WRITE_ADDR, size); + uc_mem_write (uh, UC_BUG_WRITE_ADDR, buf, size); + uc_close (&uh); + return 0; +} From 79effb2df5454e5670036832b6e3f56af5ddf797 Mon Sep 17 00:00:00 2001 From: Nguyen Anh Quynh Date: Mon, 24 Aug 2015 20:07:36 +0800 Subject: [PATCH 05/10] fix regress/map_crash.c so it does not crash any more --- regress/Makefile | 4 +++- regress/map_crash.c | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/regress/Makefile b/regress/Makefile index 159489d0..10f6c0d6 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,7 +1,9 @@ +.PHONY: all clean + CFLAGS+=-I../include LDFLAGS=-L.. -lunicorn -TESTS=map_crash map_regs +TESTS = map_crash all: $(TESTS) 
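Review bot: `buf` is allocated with `malloc (size)` in `main` and never freed, and the `uc_err` results of `uc_mem_map` and `uc_mem_write` are dropped, so this regression test can only fail by crashing, never by the library reporting an error; add `free (buf);` before `return 0;` and fail the test when either call returns non-zero. The same leak and unchecked `uc_mem_write` remain in the rewritten file in PATCH 06. `size` is an `int` passed to a `size_t` parameter; `size_t size = UC_BUG_WRITE_SIZE;` avoids the implicit sign conversion. The `#include` lines in this rendering show no header names, which looks like an extraction artifact rather than something in the original patch.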
diff --git a/regress/map_crash.c b/regress/map_crash.c index e7bc78a7..375a3fa1 100644 --- a/regress/map_crash.c +++ b/regress/map_crash.c @@ -4,7 +4,8 @@ #include #define UC_BUG_WRITE_SIZE 13000 -#define UC_BUG_WRITE_ADDR 0x1000 +//#define UC_BUG_WRITE_ADDR 0x1000 +#define UC_BUG_WRITE_ADDR 0x2000 int main() { int size; From ebaa542702625d248282f79f4fd4852c3e24e0be Mon Sep 17 00:00:00 2001 From: Nguyen Anh Quynh Date: Mon, 24 Aug 2015 20:21:57 +0800 Subject: [PATCH 06/10] revert regress/map_crash.c back to original code --- regress/Makefile | 6 ++---- regress/map_crash.c | 42 +++++++++++++++++++++--------------------- 2 files changed, 23 insertions(+), 25 deletions(-) diff --git a/regress/Makefile b/regress/Makefile index 10f6c0d6..4fcfac82 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,7 +1,5 @@ -.PHONY: all clean - -CFLAGS+=-I../include -LDFLAGS=-L.. -lunicorn +CFLAGS += -I../include +LDFLAGS = -L.. -lunicorn TESTS = map_crash diff --git a/regress/map_crash.c b/regress/map_crash.c index 375a3fa1..4d6bc8fe 100644 --- a/regress/map_crash.c +++ b/regress/map_crash.c 
@@ -4,27 +4,27 @@ #include #define UC_BUG_WRITE_SIZE 13000 -//#define UC_BUG_WRITE_ADDR 0x1000 -#define UC_BUG_WRITE_ADDR 0x2000 +#define UC_BUG_WRITE_ADDR 0x1000 // fix this by change this to 0x2000 int main() { - int size; - uint8_t *buf; - uch uh; - uc_err err = uc_open (UC_ARCH_X86, UC_MODE_64, &uh); - if (err) { - fprintf (stderr, "Cannot initialize unicorn\n"); - return 1; - } - size = UC_BUG_WRITE_SIZE; - buf = malloc (size); - if (!buf) { - fprintf (stderr, "Cannot allocate\n"); - return 1; - } - memset (buf, 0, size); - uc_mem_map (uh, UC_BUG_WRITE_ADDR, size); - uc_mem_write (uh, UC_BUG_WRITE_ADDR, buf, size); - uc_close (&uh); - return 0; + int size; + uint8_t *buf; + uch uh; + uc_err err = uc_open (UC_ARCH_X86, UC_MODE_64, &uh); + if (err) { + fprintf (stderr, "Cannot initialize unicorn\n"); + return 1; + } + size = UC_BUG_WRITE_SIZE; + buf = malloc (size); + if (!buf) { + fprintf (stderr, "Cannot allocate\n"); + return 1; + } + memset (buf, 0, size); + if (!uc_mem_map (uh, UC_BUG_WRITE_ADDR, size)) { + uc_mem_write (uh, UC_BUG_WRITE_ADDR, buf, size); + } + uc_close (&uh); + return 0; } From 62908b96eb3600431d180d57da6389205bd08435 Mon Sep 17 00:00:00 2001 From: Nguyen Anh Quynh Date: Mon, 24 Aug 2015 22:25:28 +0800 Subject: [PATCH 07/10] update .gitignore --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 271960ff..7adf5b9e 100644 --- a/.gitignore +++ b/.gitignore @@ -79,3 +79,5 @@ tmp/ bindings/python/build/ config.log + +regress/map_crash From c5d99777f47042d8768900ace22eafae0d90a7e7 Mon Sep 17 00:00:00 2001 From: pancake Date: Mon, 24 Aug 2015 17:02:14 +0200 Subject: [PATCH 08/10] Use const in uc_mem_write and derivates --- include/uc_priv.h | 2 +- include/unicorn/unicorn.h | 2 +- qemu/unicorn_common.h | 2 +- regress/Makefile | 2 +- uc.c | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/include/uc_priv.h b/include/uc_priv.h index efff0e7e..c9e19f95 100644 --- a/include/uc_priv.h 
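Review bot: The comment `// fix this by change this to 0x2000` on the `UC_BUG_WRITE_ADDR` line says what to edit but not why; something like `// 0x1000 reproduces the map crash this test guards against; 0x2000 does not trigger it (see PATCH 05)` tells the next reader what the test is for. The hunk also re-indents every line of `main`, which buries the one functional change, the new `if (!uc_mem_map (...))` guard; separating the whitespace change from the guard would make the revert reviewable. With the guard in place a failed `uc_mem_map` is now silently skipped and `main` still returns 0, so the test cannot distinguish "mapped and wrote" from "could not map"; returning 1 in an `else` branch keeps that failure visible.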
+++ b/include/uc_priv.h @@ -28,7 +28,7 @@ typedef int (*reg_access_t)(uch handle, unsigned int regid, void *value); typedef void (*reg_reset_t)(uch handle); -typedef bool (*uc_write_mem_t)(AddressSpace *as, hwaddr addr, uint8_t *buf, int len); +typedef bool (*uc_write_mem_t)(AddressSpace *as, hwaddr addr, const uint8_t *buf, int len); typedef bool (*uc_read_mem_t)(AddressSpace *as, hwaddr addr, uint8_t *buf, int len); diff --git a/include/unicorn/unicorn.h b/include/unicorn/unicorn.h index 0063ba5a..d5bb350a 100644 --- a/include/unicorn/unicorn.h +++ b/include/unicorn/unicorn.h @@ -303,7 +303,7 @@ uc_err uc_reg_read(uch handle, int regid, void *value); for detailed error). */ UNICORN_EXPORT -uc_err uc_mem_write(uch handle, uint64_t address, uint8_t *bytes, size_t size); +uc_err uc_mem_write(uch handle, uint64_t address, const uint8_t *bytes, size_t size); /* Read a range of bytes in memory. diff --git a/qemu/unicorn_common.h b/qemu/unicorn_common.h index 2a6a0668..93f1c5f4 100644 --- a/qemu/unicorn_common.h +++ b/qemu/unicorn_common.h @@ -14,7 +14,7 @@ static inline bool cpu_physical_mem_read(AddressSpace *as, hwaddr addr, } static inline bool cpu_physical_mem_write(AddressSpace *as, hwaddr addr, - uint8_t *buf, int len) + const uint8_t *buf, int len) { return !cpu_physical_memory_rw(as, addr, (void *)buf, len, 1); } diff --git a/regress/Makefile b/regress/Makefile index 4fcfac82..8f8d2556 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,7 +1,7 @@ CFLAGS += -I../include LDFLAGS = -L.. -lunicorn -TESTS = map_crash +TESTS = map_crash sigill all: $(TESTS) diff --git a/uc.c b/uc.c index ec337d36..cef74de1 100644 --- a/uc.c +++ b/uc.c 
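Review bot: The `(void *)buf` cast in `cpu_physical_mem_write` now silently discards the `const` this patch adds to `buf`, so the compiler can no longer catch a write through it; the cast appears to exist because `cpu_physical_memory_rw` takes a non-const buffer for both directions, and it is harmless only while the final argument stays `1` (write direction, so the buffer is only read). A one-line comment above the call would preserve that reasoning: `/* rw() takes a non-const buffer for both directions; with is_write=1 buf is only read */`.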
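Review bot: `TESTS = map_crash sigill` references `regress/sigill.c`, which is only created in PATCH 09, so `make` in `regress/` fails to build at this commit; the identical Makefile hunk (same blob ids `4fcfac82..8f8d2556`) reappears in PATCH 09, which suggests it was staged with the wrong commit and should be dropped from this one. Keeping each commit buildable matters for bisecting the map-crash and illegal-instruction regressions this series adds.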
@@ -356,7 +356,7 @@ uc_err uc_mem_read(uch handle, uint64_t address, uint8_t *bytes, size_t size) UNICORN_EXPORT -uc_err uc_mem_write(uch handle, uint64_t address, uint8_t *bytes, size_t size) +uc_err uc_mem_write(uch handle, uint64_t address, const uint8_t *bytes, size_t size) { struct uc_struct *uc = (struct uc_struct *)(uintptr_t)handle; From 11c20418d7965e06d7b0413f61f2303e586c2f3e Mon Sep 17 00:00:00 2001 From: pancake Date: Mon, 24 Aug 2015 17:07:33 +0200 Subject: [PATCH 09/10] Test for ilegal instruction exception --- regress/Makefile | 2 +- regress/sigill.c | 44 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 regress/sigill.c diff --git a/regress/Makefile b/regress/Makefile index 4fcfac82..8f8d2556 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,7 +1,7 @@ CFLAGS += -I../include LDFLAGS = -L.. -lunicorn -TESTS = map_crash +TESTS = map_crash sigill all: $(TESTS) diff --git a/regress/sigill.c b/regress/sigill.c new file mode 100644 index 00000000..099bbec3 --- /dev/null +++ b/regress/sigill.c 
@@ -0,0 +1,44 @@ +#include +#include +#include +#include + +#define UC_BUG_WRITE_SIZE 128 +#define UC_BUG_WRITE_ADDR 0x1000 // fix this by change this to 0x2000 + +int got_sigill = 0; + +void _interrupt(uch handle, uint32_t intno, void *user_data) { + if (intno == 6) { + uc_emu_stop (handle); + got_sigill = 1; + } +} + +int main() { + int size; + uint8_t *buf; + uch uh; + uch uh_trap; + uc_err err = uc_open (UC_ARCH_X86, UC_MODE_64, &uh); + if (err) { + fprintf (stderr, "Cannot initialize unicorn\n"); + return 1; + } + size = UC_BUG_WRITE_SIZE; + buf = malloc (size); + if (!buf) { + fprintf (stderr, "Cannot allocate\n"); + return 1; + } + memset (buf, 0, size); + if (!uc_mem_map (uh, UC_BUG_WRITE_ADDR, size)) { + uc_mem_write (uh, UC_BUG_WRITE_ADDR, + (const uint8_t*)"\xff\xff\xff\xff\xff\xff\xff\xff", 8); + } + uc_hook_add (uh, &uh_trap, UC_HOOK_INTR, _interrupt, NULL); + uc_emu_start (uh, UC_BUG_WRITE_ADDR, UC_BUG_WRITE_ADDR+8, 0, 1); + uc_close (&uh); + printf ("Correct: %s\n", got_sigill? "YES": "NO"); + return got_sigill? 0: 1; +} From 9d9c0d1a25ad46d945b59228a7cfb566b53aaaf3 Mon Sep 17 00:00:00 2001 From: Nguyen Anh Quynh Date: Tue, 25 Aug 2015 00:02:31 +0800 Subject: [PATCH 10/10] uc_emu_start() report error on illegal instruction at the output --- .gitignore | 2 ++ qemu/target-i386/unicorn.c | 11 +++++++++++ regress/Makefile | 2 +- regress/sigill2.c | 29 +++++++++++++++++++++++++++++ uc.c | 10 +++++----- 5 files changed, 48 insertions(+), 6 deletions(-) create mode 100644 regress/sigill2.c diff --git a/.gitignore b/.gitignore index 7adf5b9e..50b09750 100644 --- a/.gitignore +++ b/.gitignore @@ -81,3 +81,5 @@ bindings/python/build/ config.log regress/map_crash +regress/sigill +regress/sigill2 diff --git a/qemu/target-i386/unicorn.c b/qemu/target-i386/unicorn.c index b3111cb0..8235c0e5 100644 --- a/qemu/target-i386/unicorn.c +++ b/qemu/target-i386/unicorn.c 
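Review bot: `_interrupt` is a file-scope identifier beginning with an underscore, which C reserves for the implementation; renaming it and limiting its linkage with `static void on_interrupt(uch handle, uint32_t intno, void *user_data)` avoids a potential clash (`got_sigill` is likewise only used in this file, so `static int got_sigill = 0;` fits). The `buf` allocated and zeroed in `main` is never used — the bytes passed to `uc_mem_write` come from the string literal — and it is never freed, so the `malloc`/`memset` block can go. The literal `6` in `if (intno == 6)` is the x86 #UD vector that PATCH 10 names `EXCP06_ILLOP`; a named constant or a comment such as `/* 6 = x86 #UD (invalid opcode) */` makes the intent visible. The `// fix this by change this to 0x2000` comment copied from map_crash.c does not apply to this test and should be removed, and the `uc_err` results of `uc_hook_add` and `uc_emu_start` are ignored.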
@@ -938,6 +938,16 @@ int x86_uc_machine_init(struct uc_struct *uc) return machine_initialize(uc); } +static bool x86_stop_interrupt(int intno) +{ + switch(intno) { + default: + return false; + case EXCP06_ILLOP: + return true; + } +} + void pc_machine_init(struct uc_struct *uc); __attribute__ ((visibility ("default"))) @@ -954,5 +964,6 @@ void x86_uc_init(struct uc_struct* uc) uc->reg_reset = x86_reg_reset; uc->release = x86_release; uc->set_pc = x86_set_pc; + uc->stop_interrupt = x86_stop_interrupt; uc_common_init(uc); } diff --git a/regress/Makefile b/regress/Makefile index 8f8d2556..d0becfea 100644 --- a/regress/Makefile +++ b/regress/Makefile @@ -1,7 +1,7 @@ CFLAGS += -I../include LDFLAGS = -L.. -lunicorn -TESTS = map_crash sigill +TESTS = map_crash sigill sigill2 all: $(TESTS) diff --git a/regress/sigill2.c b/regress/sigill2.c new file mode 100644 index 00000000..97cd7199 --- /dev/null +++ b/regress/sigill2.c @@ -0,0 +1,29 @@ +#include +#include +#include +#include + +#define UC_BUG_WRITE_SIZE 128 +#define UC_BUG_WRITE_ADDR 0x2000 + +int main() +{ + int size; + uint8_t *buf; + uch uh; + uch uh_trap; + uc_err err = uc_open (UC_ARCH_X86, UC_MODE_64, &uh); + if (err) { + fprintf (stderr, "Cannot initialize unicorn\n"); + return 1; + } + size = UC_BUG_WRITE_SIZE; + if (!uc_mem_map (uh, UC_BUG_WRITE_ADDR, size)) { + uc_mem_write (uh, UC_BUG_WRITE_ADDR, + (const uint8_t*)"\xff\xff\xff\xff\xff\xff\xff\xff", 8); + } + err = uc_emu_start (uh, UC_BUG_WRITE_ADDR, UC_BUG_WRITE_ADDR+8, 0, 1); + uc_close (&uh); + printf ("Error = %u (%s)\n", err, uc_strerror(err)); + return err? -1: 0; +} diff --git a/uc.c b/uc.c index cef74de1..c1d6479c 100644 --- a/uc.c +++ b/uc.c @@ -410,6 +410,11 @@ uc_err uc_emu_start(uch handle, uint64_t begin, uint64_t until, uint64_t timeout // invalid handle return UC_ERR_UCH; + // reset the counter + uc->emu_counter = 0; + uc->stop_request = false; + uc->invalid_error = UC_ERR_OK; + switch(uc->arch) { default: break; 
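Review bot: `x86_stop_interrupt` has no comment saying what a `true` return means to the caller; a header like `/* Return true for interrupts that must stop emulation and be reported by uc_emu_start() as an error (currently only #UD). */` documents the contract this patch introduces. Stylistically, a two-arm `switch` with `default:` listed before the only `case` reads oddly for a predicate; `return intno == EXCP06_ILLOP;` says the same thing in one line, with the switch worth keeping only if more vectors are expected. The second hunk assigns `uc->stop_interrupt` for x86 only; if the site that calls it (not in this diff) does not check for NULL, the other architecture init functions need a default — worth confirming.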
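Review bot: `uint8_t *buf;` and `uch uh_trap;` are declared in `main` of sigill2.c but never used, and a failed `uc_mem_map` is silently skipped while `uc_emu_start` still runs over unmapped memory, so the test can report the wrong cause; return early with `return 1;` when the map fails. `return err? -1: 0;` produces an exit status of 255 on most systems; `return err ? 1 : 0;` matches the other tests in `regress/`. The ignored result of `uc_mem_write` follows the same pattern already present in `map_crash.c`.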
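Review bot: Moving the reset of `emu_counter`, `stop_request` and `invalid_error` to the top of `uc_emu_start` (with the matching removal in the next hunk) is what lets the function return the error recorded during emulation instead of an always-cleared value, but the hunk leaves this unexplained; replacing `// reset the counter` with `// reset per-run state before emulation; invalid_error is returned to the caller afterwards` records the reason. The reset sits after the `UC_ERR_UCH` handle check, which is the right order since `uc` must be valid before it is written. `uc_emu_start` continues outside this hunk.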
@@ -474,11 +479,6 @@ uc_err uc_emu_start(uch handle, uint64_t begin, uint64_t until, uint64_t timeout // emulation is done uc->emulation_done = true; - // reset the counter - uc->emu_counter = 0; - uc->stop_request = false; - uc->invalid_error = UC_ERR_OK; - return uc->invalid_error; }